CVE-2021-22125 — OS Command Injection in Fortinet Fortisandbox

CWE-78 — OS Command Injection CWE-77 — Command Injection4 documents4 sources

Severity

7.2HIGHNVD

CNA6.3

EPSS

0.3%

top 46.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortisandbox Fortinet Fortisandbox

Timeline

PublishedJul 20

Latest updateMay 24

Description

An instance of improper neutralization of special elements in the sniffer module of FortiSandbox before 3.2.2 may allow an authenticated administrator to execute commands on the underlying system's shell via altering the content of its configuration file.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶NVDfortinet/fortisandbox< 3.2.2

▶CVEListV5fortinet/fortinet_fortisandboxFortiSandbox before 3.2.2

🔴Vulnerability Details

GHSA

GHSA-8mhv-844g-7793: An instance of improper neutralization of special elements in the sniffer module of FortiSandbox before 3↗2022-05-24

▶

CVEList

CVE-2021-22125: An instance of improper neutralization of special elements in the sniffer module of FortiSandbox before 3↗2021-07-20

▶

📋Vendor Advisories

Fortinet

An instance of improper neutralization of special elements in the sniffer module of FortiSandbox before 3.2.2 may allow...↗2021-07-20

▶